View Full Version : $_REQUEST or $_POST

09-20-2011, 02:50 PM

I made much sites with $_POST but recently i heard that $_REQUEST is much safer to use (I don't know tbh)

Do some of you know what is better? And why?


09-20-2011, 02:52 PM
$_REQUEST contains: $_COOKIE, $_GET, and $_POST variables

if you use $_REQUEST you have no guarantee that the data came from the post data, which leads to security holes in your script

also, if the is a $_GET['var'] = 'foo'; and $_POST['var'] = 'something else'; the $_REQUEST['var'] would be the last one set (i think, not 100% positive)

Basically... never use $_REQUEST, use $_POST for post method forms, $_GET for query string and get method forms, and $_COOKIE to handle cookies.

09-20-2011, 02:55 PM
Thanks for the fast reply.

I already thought something like that. (That the variable will be overwritten)

09-20-2011, 03:34 PM
$_REQUEST contains: $_COOKIE, $_GET, and $_POST variables

From php5 $_COOKIE was dropped. It now containts just $_GET and $_POST.

09-20-2011, 03:55 PM
From php5 $_COOKIE was dropped. It now containts just $_GET and $_POST.

I don't think that's accurate. Do you have a reference for this?

09-20-2011, 03:56 PM
Its also worth considering: the only reason to use $_REQUEST is when you don't know where your information will be coming from, and if you don't know where your data is coming from, you should rethink your design.

09-20-2011, 03:57 PM
I don't think that's accurate. Do you have a reference for this?

According to PHP documentation, it still contains _COOKIE.

09-20-2011, 03:57 PM
When i look at the php site:

It still says $_COOKIE is included

09-20-2011, 04:01 PM
I seem to remember being told over at sitepoint that $_COOKIE had been dropped as of v5 / v5.3.

Perhaps someone has got this wrong then. Doesn't really worry me as I've never used $_REQUEST - I always use $_HTTP = $_GET + $_POST

Found something which rang a bell:

This directive describes the order in which PHP registers GET, POST and Cookie variables into the _REQUEST array. Registration is done from left to right, newer values override older values.

If this directive is not set, variables_order is used for $_REQUEST contents.

Note that the default distribution php.ini files does not contain the 'C' for cookies, due to security concerns.

I knew I'd read about this at more than one place. I've also just done a var_dump($_REQUST) on my system and it never displayed any php session cookie.

09-20-2011, 05:19 PM
As mentioned, $_REQUEST, it MAY still contain cookie if C is specified in request_order. That is new as of 5.3.0 if I'm not mistaken.

Generally speaking, request should always be avoided. Its better to know where something has come from than to assume that its from one or the other. In the event it can come from either, I'd still check _GET first, then _POST. This is specifically because the order can be modified and I do not want to rely on _POST overriding _GET when provided by the system.